VTP Version 3

Hi Rene,

Great topic. I have one clarification with you. I am aware of that extended vlans (1006-4095) are only configurable on the switch with VTP mode set to transparent. VTP version 3 is supporting extended vlans where version 1 and 2 aren’t.

My clarification is that since a switch in VTP transparent is not synchronizing(updating) its vlans to others switches, how VTP version 3 can propagate those extended vlans to other switches ? It doesn’t make sense to me. I do hope you are the one who can make me understand. :slight_smile:

Thank you in advance.

Best Regards,



Hi Ronie,

Switches in VTP transparent mode don’t synchronizes themselves but they do forward VTP advertisements. This allows other switches to learn VLAN information.


Hi Rene,

Thank you for your response.I got the answer from Mr.Google. In VTP ver 1 and 2, we need to set the VTP mode to transparent before creating extended vlans. In VTP ver 3, we can create extended vlans with VTP server mode itself.

I am cleared now :slight_smile:


Best Regards,


Hi Rene

Quick question , in a switch network running VTP VER 3, a primary server has revision number 201, if a new switch running vtp3 server mode reversion umber 301 is connected with same domain name, will the other switches (client) update their database learned from switch with reversion number 301, or they will only take their update from primary server.





With VTP v3 switches will only synchronize with the primary server.

So with VTP v3 revision numbers no longer have any place which is great but am I correct in understanding that any switch in the VTP domain can become a primary server? What if i have 2 distro switches and X amount of access switches. Realistically I would want my vlan creations and my primary server on the DISTRO but what stops another administrator from promoting an access layer switch to primary?

You can set a VTP v3 password that prevents a device from becoming primary without it. This is done via
(config)#vtp password <PASSWORD> hidden
Where the “hidden” keyword will obfuscate the password in the config.

Well that prevents any unauthorized switches from joining the VTP domain but once those switches agree on domain name and password what is to stop an administrator from choosing another switch other than the VTP primary and choosing that other switch as the VTP primary?

Actually,you helped me figure out thank you. You are correct in your reply I guess I just had a brain fart :slight_smile:

From the CISCO documentation - Thanks Andrew !!

Switch(config)# vtp password mypassword hidden
 Generating the secret associated to the password.
 Switch(config)# end
 Switch# show vtp password
 VTP password: 89914640C8D90868B6A0D8103847A733

Switch# vtp primary vlan
 Enter VTP password: mypassword
 This switch is becoming Primary server for vlan feature in the VTP  domain

 VTP Database Conf Switch ID      Primary Server Revision System Name           
 ------------ ---- -------------- -------------- -------- --------------------
 VLANDB       Yes  00d0.00b8.1400=00d0.00b8.1400 1        stp7                  

 Do you want to continue (y/n) [n]? y
Enabling the VTP Version

HI Rene,

There are an little error in this sentence:

Let’s see if we are able to synchronize some VLANs. We’ll start with something simple:

SW1(config)#vlan 100

I think its SW1 instead of SW2(config-vlan)#exit

Thanks for all! very easy to study with your explanations.

Thanks Luis, we will correct it.

Hi rene

What if we have VLAN MODE OFF - will ‘VTP mode off’ still support the extended VLANs / Private VLANs like transparent mode?

Any help is appreciated


Hello Abhishek.

I’m not sure what you mean by VLAN MODE OFF. Do you mean VTP mode off? In any case, if I understand your question correctly, the VTP off mode allows you to turn off VTP either per port or globally. The difference between off and transparent modes is that transparent will forward VTP advertisements while off will not. Also, if it is turned off, normal-range, extended-range and private VLANS will not participate in VTP.

I hope this has been helpful!


19 posts were merged into an existing topic: VTP Version 3

Hi Laz,

I have topology S1–S2–S3 and I configured VTPv3 its working fine, but I tweaked and added VTP password for S1 and S3 but not S2 to find out if S2 will forward the VTP updates.

But I found that S2 its not forwarding the VTP updates to S3, is that normal or I’m missing something.


Hello Jama

Yes this is normal. If a switch is configured as a CLIENT with a specific VTP domain, then it will only forward VTP updates that are in its own domain. If you change the password, it cannot register to the VTP server and thus will not accept VTP updates from the specific domain (or from any domain), because it doesn’t properly belong to it. The only way to have a switch forward VTP updates is in transparent mode.

I hope this has been helpful!


1 Like

Dear Rene,

I am wondering what is the real difference between server (which is not a primary) and client modes in VTP v3? both cannot modify vlan information and both are propagating vtp updates ryt? what is the need of having those 2 modes??

Hello Roshan

The purpose of the two types of servers (secondary and primary) are to improve redundancy. Specifically, a secondary server stores the received configuration in a local permanent storage space (for example, NVRAM) and updates other devices in the same domain and for the same instance. In the event that the primary server fails, a secondary server can be promoted to be a primary server. More information about this procedure and its benefits over VTPv1 and v2 can be found in the following Cisco Documentation:

I hope this has been helpful!


1 Like

Hi Rene,

Can we enable VTP on a stack enabled switch or its only supported on Standalone switches.


Hello Selva

VTP functions on a switch stack just the same as it does on a standalone switch. When a siwtch joins the stack, it inherits the VTP and VLAN properties of the stack master, and all VTP updates are carried across the stack. You can find out more about how VTP functions on a stack by looking at this Cisco documentation.

I hope this has been helpful!